How Syrian hackers found New York Times' weak spot in Australia

Joshua Brustein

MelbourneIT, an Australian Internet service provider, said on Tuesday the credentials of a reseller had been used improperly to change domain settings and hack into sites including NYTimes.com. Photo: Reuters

New York: A hacking attack by the Syrian Electronic Army may have targeted the New York Times and other US media companies, but the weak link was Melbourne IT Ltd., a domain registrar that directs Internet traffic to the companies' servers.

How can an assault on an obscure Australian Web-services provider lead to a more than 20-hour disruption at the Times' website?

Melbourne IT and other companies like it occupy a central space in the day-to-day workings of the Internet. When a person or business buys a domain name -- something catchy, like nytimes.com -- that human-friendly designation is mapped to an IP address, which is the real hosting location of the website. For the New York Times, that IP address looks like this: http://170.149.168.130 (Click the numerical link, and you'll find the Times' website alive and well.)

Registrars such as Melbourne IT help direct the traffic from people typing in the URLs, saving us the trouble of remembering those clunky IP numbers. According to CloudFlare, a security firm working with the Times that posted a detailed description of yesterday's attack, Melbourne IT, which has a reputation for better-than-average security, is the sixth-largest domain registrar in the world with about 2.5 million registered domains. GoDaddy is the dominant company among registrars -- its 25 million domains give it a 31 percent market share.

For a short period, some people trying to read the latest news found themselves instead on another website containing malware. CloudFlare worked with the registrar maintaining the name server used by the attackers to shut it down -- a move that kept people from ending up on an infected site but didn't fix the primary problem knocking out the Times. Since yesterday evening, the newspaper has been directing readers to news.nytco.com, a version of its mobile site. The situation is close to being fully resolved, Eileen Murphy, a New York Times spokeswoman, said today.

The Syrian Electronic Army also claimed credit for similar attacks on Melbourne IT clients Twitter Inc. and the Huffington Post, also through the registrar's own system. But those sites stayed largely functional. A server on which Twitter keeps images was taken down, while the company's main website stayed up.

Reseller Account

According to CloudFlare, Twitter fared better because it had a registry lock in place, preventing Melbourne IT from making automatic changes to its registration. It's not completely clear how any of the attacks breached Melbourne IT's system.

As CloudFlare explained: "An e-mail that Melbourne IT just sent to all its customers appears to indicate that the hackers somehow used a reseller account as part of the hack. While we are only speculating at this point, it's possible that there was a security vulnerability in the reseller interface that allowed a privilege escalation to take over control of other Melbourne IT customers."
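As an added illustration, not taken from the article, CloudFlare or Melbourne IT, the two controls the story turns on can be checked from a domain's WHOIS record: whether a registry lock (server-side EPP status codes the registrar cannot clear itself) is set, and whether the delegated nameservers still match what the owner expects. The EPP status codes are the standard RFC 5731 ones; the WHOIS excerpt, domain and nameserver hosts are constructed placeholders.

```python
"""Registry-lock and nameserver-drift checks over a WHOIS excerpt (added
example with constructed, placeholder data)."""
import re

# EPP status codes (RFC 5731). A registry lock is commonly implemented by
# the registry setting all three server* locks; the registrar cannot clear
# them, whereas client* locks can be removed with registrar credentials.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverDeleteProhibited",
                 "serverTransferProhibited"}
REGISTRAR_LOCK = {"clientUpdateProhibited", "clientDeleteProhibited",
                  "clientTransferProhibited"}
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.I | re.M)
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.I | re.M)

def parse_whois(text):
    """Return (EPP status codes, lower-cased nameserver hosts)."""
    statuses = set(STATUS_RE.findall(text))
    nameservers = {h.lower().rstrip(".") for h in NS_RE.findall(text)}
    return statuses, nameservers

def lock_level(statuses):
    """'registry' if all server-side locks are set, 'registrar' if only
    client-side locks are present, else 'none'."""
    if REGISTRY_LOCK <= statuses:
        return "registry"
    if statuses & REGISTRAR_LOCK:
        return "registrar"
    return "none"

def audit(text, expected_ns):
    """Lock strength plus any drift between expected and observed NS."""
    statuses, observed = parse_whois(text)
    expected = {h.lower().rstrip(".") for h in expected_ns}
    return {"lock": lock_level(statuses),
            "ns_added": sorted(observed - expected),
            "ns_removed": sorted(expected - observed)}

# Constructed WHOIS excerpt: placeholder domain and hosts, not real records.
SAMPLE_WHOIS = """\
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

if __name__ == "__main__":
    print(audit(SAMPLE_WHOIS, ["ns1.example-dns.net", "ns2.example-dns.net"]))
```

Run periodically against fresh WHOIS output, a non-empty `ns_added` or `ns_removed` is the signal that delegation was changed without you, and a `lock` value below `registry` means a registrar-side compromise could make that change.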

The attack is a fresh reminder of how much all companies that rely on websites are vulnerable to the failings of other companies.

"You have a huge supply chain here," said Kenneth Geers, a researcher with FireEye Inc., a security company. "If an attacker does their homework, then they can find the weak link in the chain and go after someone directly."

Failures aren't always malicious attacks. Over the weekend, several popular websites went down because of a faulty piece of hardware in an Amazon.com Inc. data centre.

Even before it became the centre of one of the more spectacular hacking attacks in recent memory, Melbourne IT was having an eventful day. Hours before the attack began, its chief executive officer said he was stepping down. And almost 24 hours after the Times first went down, a small taunt still remains on a page on Melbourne IT's own website, which now appears as a plain white page with a small message: "Hacked by SEA, Your servers security is very weak."